Impact
A design flaw in AutoGPT’s MediaDurationBlock causes it to download and store video files without imposing any limits on disk space usage. When used in conjunction with StepThroughItemsBlock, which can loop unboundedly over MediaDurationBlock, an attacker can trigger an uncontrolled, rapid consumption of disk space. The resulting resource exhaustion disables further process execution, effectively denying service. This vulnerability is classified as a resource exhaustion flaw (CWE‑400).
Affected Systems
The affected product is Significant‑Gravitas AutoGPT, any version prior to 0.6.63. Version 0.6.63 contains a patch that removes the unlimited disk usage behavior. Users running earlier releases are vulnerable regardless of deployment environment, as the flaw is embedded in the core logic of the workflow blocks.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. EPSS data is unavailable, so the probability of exploitation cannot be quantified from the current dataset. The vulnerability is listed outside the CISA Known Exploited Vulnerabilities catalog, implying no publicly documented exploit code. However, the attack vector is straightforward: a malicious user can supply a large number of web page screenshots or media items, or create a long-running loop with StepThroughItemsBlock, forcing disk space to be filled. This makes the flaw relatively easy to trigger in environments where AutoGPT is exposed to untrusted input.
OpenCVE Enrichment